hadoop-yarn-issues mailing list archives

From "Remus Rusanu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1972) Implement secure Windows Container Executor
Date Tue, 03 Jun 2014 10:04:02 GMT

    [ https://issues.apache.org/jira/browse/YARN-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14016358#comment-14016358 ]

Remus Rusanu commented on YARN-1972:
------------------------------------

[~vinodkv] I spent some time going over the 'Localizer already does createUserLocalDirs'
issue and here are my findings:

- Both the DCE and the LCE create the local dirs before invoking the localizer. The DCE does
this in DefaultContainerExecutor.startLocalizer and the LCE does it in container-executor.c:initialize_app().
Both create the user local dirs (base/$user), the appcache (base/$user/appcache), the appdir
(base/$user/appcache/$appid) and the log dirs. Both the DCE and the LCE use the first appdir
to copy the localizer token file(s) and both DCE and LCE use the first appdir as the current
directory (cwd) when launching the localizer. The only difference between DCE and LCE is that
the DCE also creates the user file cache (base/$user/filecache).

- The localizer, in ContainerLocalizer.initDirs(), creates the app filecache (base/$user/appcache/$appid/filecache)
and the user file cache (base/$user/filecache). The localizer does not attempt to create user
local dirs (base/$user) nor appcache (base/$user/appcache) or appdir (base/$user/appcache/$appid).
Since the tokens file is located in the appdir and the appdir is also the localizer cwd, the
appid must exist before the localizer is launched.

So currently the only overlap between the dirs created by DCE and the localizer is the user
file cache (base/$user/filecache). The WCE was modeled to do exactly what the DCE does, with
the addition of setting permissions and ownership on the directories so created. I can remove
the creation of the user file cache (base/$user/filecache) from the DCE/WCE and let the localizer
create it instead. The TestDefaultContainerExecutor expects the user file cache to be created
by the DCE; I will also remove this expectation from the test.

> Implement secure Windows Container Executor
> -------------------------------------------
>
>                 Key: YARN-1972
>                 URL: https://issues.apache.org/jira/browse/YARN-1972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows
>         Attachments: YARN-1972.1.patch
>
>
> This work item represents the Java side changes required to implement a secure windows
> container executor, based on the YARN-1063 changes on native/winutils side.
> Necessary changes include leveraging the winutils task createas to launch the container
> process as the required user and a secure localizer (launch localization as a separate process
> running as the container user).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
